Smug alert!

The other day I was reading an article about the Mac malware explosion that was feared this year but failed to materialize. After MacDefender appeared and caused a kerfuffle, and after I arrogantly welcomed Apple to our world (we in the Windows world have been dealing with this stuff forever), Richard Gaywood wrote an article saying that after the initial fear of new Mac viruses and malware, they have tapered off.

His method of tracking this is good: he counts the number of malware definitions in Apple's home-grown XProtect definitions file, release by release, and after a ramp-up in June they have leveled off:

The following graph shows the number of unique malware variants listed in the file as each new version was released.

For a period of several weeks, we see the rapid cat-and-mouse game predicted by people like Ed Bott. Variants of MacDefender appear at the rate of about one a day, and we see a corresponding update of the XProtect definitions file once or even twice a day also. This keeps going until we reach the 21st version of the definitions file, which detects 15 distinct variants of MacDefender (labelled OSX.MacDefender.A through to OSX.MacDefender.O) using 12 different detection signatures.

And then… nothing. No new updates to the file since the 23rd of June.

There are two ways to look at this. It’s possible that the malware kept coming, and Apple either failed to notice it, or just gave up trying to keep up. If that were true, though, we’d expect to still be hearing about it, both in the general press and from TUAW’s contacts throughout the Mac ecosystem of developers and support staff. But we’ve heard nothing.

The other option, then, is that the malware has stopped evolving. The MacDefender authors gave up trying to issue new variants, and nobody else has (so far) taken their place. The Mac malware scene is… well, if not dead, then asleep. Stunned. Pining for the fjords.

It’s a fair analysis. Why have the variants stopped? It’s unlikely that Apple simply stopped updating its signatures, so the remaining option is that the MacDefender authors gave up (a third possibility is a problem with the script that counts the signatures). Gaywood is cautiously optimistic in tone.
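Gaywood's conclusion rests on what his script treats as a "definition". As an added example (not his script and not Apple's code), here is a Python counter over XProtect-style plists that reports entries, distinct variant names and distinct signatures separately for each release, and marks the release at which no new variant appears. It assumes the early XProtect.plist layout (a top-level array of dicts with a "Description" string and a "Matches" array of dicts carrying "MatchType" and "Pattern") and the OSX.Family.Letter naming the article quotes; the sample plists are constructed for this example.

```python
"""Count malware variants and detection signatures across releases of an
XProtect-style definitions file. Added example, not Gaywood's script and not
Apple's code; it assumes the early XProtect.plist layout (a top-level array of
dicts with a "Description" string and a "Matches" array of dicts carrying
"MatchType" and "Pattern"). The sample plists below are constructed."""
import plistlib
import re
from typing import List, NamedTuple, Set, Tuple

# A Description may name several variants ("OSX.MacDefender.C, OSX.MacDefender.D"),
# so variants are extracted by name pattern rather than counted per entry.
# The name format is assumed from the labels Gaywood cites.
VARIANT_RE = re.compile(r"OSX\.[A-Za-z0-9_]+\.[A-Z]+")


class Summary(NamedTuple):
    entries: int
    variants: Set[str]
    signatures: Set[Tuple[str, str]]


def load_definitions(plist_bytes: bytes) -> List[dict]:
    """Parse a definitions plist and return its list of entries."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, list):
        raise ValueError("expected a top-level array of definition entries")
    return data


def summarize(plist_bytes: bytes) -> Summary:
    """Entry, variant and signature counts for one release of the file."""
    entries = load_definitions(plist_bytes)
    variants: Set[str] = set()
    sigs: Set[Tuple[str, str]] = set()
    for e in entries:
        variants.update(VARIANT_RE.findall(e.get("Description", "")))
        sigs.update((m.get("MatchType", ""), m.get("Pattern", ""))
                    for m in e.get("Matches", []))
    return Summary(len(entries), variants, sigs)


def track_versions(versions):
    """For (label, plist_bytes) pairs in release order, return rows of
    (label, total_variants, total_signatures, newly_seen_variants).
    Releases with an empty last field are the plateau Gaywood describes."""
    rows, seen = [], set()
    for label, blob in versions:
        s = summarize(blob)
        new = sorted(s.variants - seen)
        seen |= s.variants
        rows.append((label, len(s.variants), len(s.signatures), new))
    return rows


# Constructed release 1: a single MacDefender entry (assumed key layout).
SAMPLE_V1 = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.A</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>4D6163446566656E646572</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""


def _with_entries(base: bytes, extra: List[dict]) -> bytes:
    """Serialize a new release that appends entries to an older one."""
    return plistlib.dumps(load_definitions(base) + extra)


# Release 2 adds three variants but only two signatures: C and D share one.
SAMPLE_V2 = _with_entries(SAMPLE_V1, [
    {"Description": "OSX.MacDefender.B",
     "Matches": [{"MatchType": "Match", "Pattern": "4D616350726F746563746F72"}]},
    {"Description": "OSX.MacDefender.C, OSX.MacDefender.D",
     "Matches": [{"MatchType": "Match", "Pattern": "4D616353656375726974792E617070"}]},
])
# Release 3 is identical to release 2: re-issued with nothing new.
SAMPLE_V3 = SAMPLE_V2

SAMPLE_VERSIONS = [("1", SAMPLE_V1), ("2", SAMPLE_V2), ("3", SAMPLE_V3)]

if __name__ == "__main__":
    for label, nvar, nsig, new in track_versions(SAMPLE_VERSIONS):
        print(f"release {label}: {nvar} variants, {nsig} signatures, "
              f"new: {', '.join(new) or 'none'}")
```

Release 2 in the sample has three entries, four variant names and three signatures, which is the same kind of gap as Gaywood's 15 variants versus 12 signatures. A script that counts entries, or only signatures, reports a different number from one that counts variant names, so whoever reads the graph needs to know which rule was used before drawing conclusions about whether the authors stopped.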

Ah yeah, Mac malware. I remember the good old days when Mac marketshare was less than 3% and we didn’t have to worry about malware. But as marketshare started to increase, the doomsdayers warned us that security-by-obscurity would no longer protect us: "Just wait till the market doubles [to over 5%], then you’ll see the malware writers inundate the Mac".

We waited.

At 5% marketshare, the doomsdayers warned us that security-by-obscurity would no longer protect us: "Just wait till the market doubles [to over 10%], then you’ll see the malware writers inundate the Mac".

We waited.

We’re still waiting for the inundation, the flood of Mac malware, now that we’re not protected by obscurity.

As this guy says, Macs were always secure. The reason the malware author gave up is that it’s too difficult to write malware for that platform. The reason nobody ever wrote malware for the Mac is not that the market was too small to be worth the resources; even if Apple had 100% of the market it wouldn’t work. You just can’t write malware for Macs, Apple is that freaking good.

Because, you know, malware authors give up after a month. They are not at all tenacious; they try things once or twice, and if that doesn’t work they throw up their hands and say “Oh, that didn’t work. Better luck next platform.”

It doesn’t work that way in real life.

Here’s another theory: there was only one operator behind the MacDefender operation, similar to how there was only one person behind the Rustock botnet. In December of last year the Rustock botnet went silent, and nobody knows why. If one guy was running it and he went on vacation, that explains why it went dark: there was nobody around to control it.

The MacDefender guy may have decided to take a vacation. Or he is retooling. Or his rate of return on MacDefender was too small because the Mac install base wasn’t big enough, which would confirm the theory that obscurity still matters. In any case, there is not nearly enough data at this point to make a comment dripping with so much hubris.